system logging is not

Marty Landman mlandman at face2interface.com
Wed Feb 15 12:28:16 UTC 2006


At 09:50 AM 2/14/2006, McDougall, Marshall (FSH) wrote:
>The fact that most of those files are empty(hacker like activity) and
>there are no .1, .2 etc does not look good. Did you do something at
>18:04?

No, not that I can think of.

>   Run a netstat and see what/who you are listening for or connected to.

$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
216.238.192.133 0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         216.238.192.133 0.0.0.0         UG        0 0          0 ppp0
$

Looks normal, doesn't it?

>   Wtmp is time stamped 1.5 hrs later. Run last, it might
>tell you who was there or what id was compromised.

$ sudo last
marty    pts/0        nosoup4u         Tue Feb 14 15:42   still logged in
marty    pts/0        nosoup4u         Mon Feb 13 20:41 - 22:05  (01:24)
root     pts/0        :0.0             Mon Feb 13 18:20 - 20:41  (02:20)
root     :0                            Mon Feb 13 18:20 - 18:46  (00:25)
reboot   system boot  2.4.20-8         Mon Feb 13 18:18          (21:39)
reboot   system boot  2.4.20-8         Mon Feb 13 18:14          (21:43)
marty    pts/1        :0.0             Mon Feb 13 18:06 - down   (00:06)
marty    :0                            Mon Feb 13 18:06 - down   (00:06)
marty    pts/0        nosoup4u         Mon Feb 13 18:05 - down   (00:07)
reboot   system boot  2.4.20-8         Mon Feb 13 18:04          (00:08)

wtmp begins Mon Feb 13 18:04:26 2006
$

BTW nosoup4u is my Windows workstation - I'm ssh'd into the RH box.

>  Look in /tmp for anything unusual.  Isolate it from your network.

$ ls -al /tmp
total 572
drwxrwxrwt  12 root     root         4096 Feb 14 04:02 .
drwxr-xr-x  20 root     root         4096 Feb 13 18:33 ..
drwxrwxrwt   2 root     root         4096 Feb 13 18:46 .ICE-unix
-r--r--r--   1 root     root           11 Feb 13 18:46 .X0-lock
drwxrwxrwt   2 root     root         4096 Feb 13 18:46 .X11-unix
srwx------   1 root     nobody          0 Feb 13 18:20 .fam_socket
drwxrwxrwt   2 xfs      xfs          4096 Feb 13 18:19 .font-unix
srw-rw-rw-   1 root     root            0 Feb 13 18:19 .gdm_socket
-rw-rw-rw-   1 root     root       464160 Feb 10 10:04 irc.tar.gz
drwx------   2 joel     users        4096 Dec  5 16:27 orbit-joel
drwx------   2 marty    marty       12288 Feb 13 18:13 orbit-marty
drwx------   2 root     root        12288 Feb 13 18:46 orbit-root
drwxr-xr-x   2 marty    marty        4096 Dec  3 15:06 samba
-rwxr--r--   1 root     root        44377 Feb 13 18:41 scrollkeeper-tempfile.0
drwx------   2 marty    marty        4096 Dec 11 18:49 ssh-XXRI9PKz
drwx------   2 root     root         4096 Jan  3 13:32 ssh-XXgHv7Ve
drwxrwxrwt   3 marty    marty        4096 Jan 26 19:04 uscreens
[marty at BANYAN ~]$ ls -al /tmp/samba
total 8
drwxr-xr-x   2 marty    marty        4096 Dec  3 15:06 .
drwxrwxrwt  12 root     root         4096 Feb 14 04:02 ..
$

>Good luck.

I removed everything on /tmp and rebooted, system still can't create 
/var/log/messages. It also is now unable to start X-Windows on the console. 
What might I do next here?

Marty



>-----Original Message-----
>From: redhat-list-bounces at redhat.com
>[mailto:redhat-list-bounces at redhat.com] On Behalf Of Marty Landman
>Sent: Monday, February 13, 2006 8:10 PM
>To: redhat-list at redhat.com
>Subject: system logging is not
>
>
>My RH9 gateway suddenly seems to have developed some problems today. The
>only thing special I recall doing was to change from a netgear hub to a
>linksys switch and add an 8th box to my lan. There is also a netgear switch
>to which this box is plugged in which used to uplink to the netgear hub but
>now uplinks to the linksys switch. All 8 computers were visible from my Win
>xp workstation after doing that btw.
>
>Later I noticed that samba didn't seem to be working on my Win XP
>workstation - although it can SSH to the RH box. And it's still functioning
>as my LAN gateway. Saw a bunch of attempts on /var/log/samba/.log (is that
>a kosher name btw?) evidence of attempted break-ins from a day or two ago.
>
>So not knowing what else to do I rebooted - windows user instinct :).
>Noticed during the reboot that system logging and httpd startup both
>FAILED. OTOH using Nautilus from the console I could find the other 7
>computers on the network, but not this computer itself.
>
>Here's some shell stuff that I think illustrates some of what's going on:
>
>[marty at BANYAN ~]$ pwd
>/home/marty
>[marty at BANYAN ~]$ ls -al /var/log
>total 324
>drwxr-xr-x   2 root     root         4096 Feb 13 18:46 .
>drwxr-xr-x  21 root     root         4096 Jul 30  2005 ..
>-rw-r--r--   1 root     root        28509 Feb 13 18:46 XFree86.0.log
>-rw-r--r--   1 root     root        28584 Feb 13 18:20 XFree86.0.log.old
>-rw-------   1 root     root            0 Feb 13 18:04 boot.log
>-rw-------   1 root     root            0 Feb 13 18:04 cron
>-rw-r--r--   1 root     root         6532 Feb 13 18:18 dmesg
>-rw-r--r--   1 root     root        65631 Feb 13 18:18 ksyms.0
>-rw-r--r--   1 root     root        65631 Feb 13 18:14 ksyms.1
>-rw-r--r--   1 root     root        65631 Feb 13 18:04 ksyms.2
>-rw-------   1 root     root            0 Feb 13 18:04 maillog
>-rw-------   1 root     root            0 Feb 13 18:04 messages
>-rw-------   1 root     root            0 Feb 13 18:04 secure
>-rw-------   1 root     root            0 Feb 13 18:04 spooler
>-rw-------   1 root     root          315 Feb 13 18:12 sudolog
>-rw-rw-r--   1 root     utmp        30336 Feb 13 20:41 wtmp
>[marty at BANYAN ~]$ df
>Filesystem           1K-blocks      Used Available Use% Mounted on
>/dev/hdd1              5278644   2073532   2936972  42% /
>/dev/hda1                99251      9324     84802  10% /boot
>none                    127664         0    127664   0% /dev/shm
>/dev/hda2              4035432     33080   3797360   1% /mnt/kramer
>/dev/hdb1            241263968  32998936 196009448  15% /mnt/maestro
>[marty at BANYAN ~]$ top
>top: error while loading shared libraries: libncurses.so.4: cannot open
>shared object file: No such file or directory
>[marty at BANYAN ~]$
>
>
>-----------------------------------------------
>
>At this point I wonder if my computer's been hijacked or somehow corrupted.
>Either way not sure what to do next.
>
>Thanks in advance,
>
>Marty
>
>
>Marty Landman, Face 2 Interface Inc. 845-679-9387
>Webmaster's Bulletin Board: http://bbs.face2interface.com/
>Web Installed Formmail: http://face2interface.com/formINSTal
>
>--
>redhat-list mailing list
>unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
>https://www.redhat.com/mailman/listinfo/redhat-list
>

Marty Landman, Face 2 Interface Inc. 845-679-9387
Webmaster's Bulletin Board: http://bbs.face2interface.com/
Web Installed Formmail: http://face2interface.com/formINSTal  
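The three checks the list suggested (empty logs in /var/log, reboots and logins in `last`, odd files in /tmp) can be scripted so the same evidence is read consistently on every box you triage. The script below is an added example, not something from this thread or from Red Hat; the sample listings embedded in it are constructed from the output Marty posted (trimmed to the lines the checks need), and the function names are my own. It flags zero-byte regular files in /var/log that share one modification time (rotation would leave .1, .2 copies and staggered times, so a whole set of empty logs carrying a single timestamp points at them being created empty together), matches that timestamp against the boot times `last` reports, and lists regular files in /tmp that are world-writable.

```python
"""Triage helper for the symptoms in this thread (added example, not the
list's or Red Hat's code). All sample data is constructed from the output
posted by the original author."""
import re
from collections import defaultdict

# Constructed from the `ls -al /var/log` output in the thread.
VAR_LOG_LISTING = """\
-rw-r--r--   1 root     root        28509 Feb 13 18:46 XFree86.0.log
-rw-------   1 root     root            0 Feb 13 18:04 boot.log
-rw-------   1 root     root            0 Feb 13 18:04 cron
-rw-r--r--   1 root     root         6532 Feb 13 18:18 dmesg
-rw-------   1 root     root            0 Feb 13 18:04 maillog
-rw-------   1 root     root            0 Feb 13 18:04 messages
-rw-------   1 root     root            0 Feb 13 18:04 secure
-rw-------   1 root     root            0 Feb 13 18:04 spooler
-rw-------   1 root     root          315 Feb 13 18:12 sudolog
-rw-rw-r--   1 root     utmp        30336 Feb 13 20:41 wtmp
"""

# Constructed from the `ls -al /tmp` output in the thread.
TMP_LISTING = """\
drwxrwxrwt  12 root     root         4096 Feb 14 04:02 .
-r--r--r--   1 root     root           11 Feb 13 18:46 .X0-lock
-rw-rw-rw-   1 root     root       464160 Feb 10 10:04 irc.tar.gz
drwxr-xr-x   2 marty    marty        4096 Dec  3 15:06 samba
drwxrwxrwt   3 marty    marty        4096 Jan 26 19:04 uscreens
"""

# Constructed from the `last` output in the thread.
LAST_OUTPUT = """\
marty    pts/0        nosoup4u         Tue Feb 14 15:42   still logged in
root     pts/0        :0.0             Mon Feb 13 18:20 - 20:41  (02:20)
reboot   system boot  2.4.20-8         Mon Feb 13 18:18          (21:39)
reboot   system boot  2.4.20-8         Mon Feb 13 18:14          (21:43)
marty    pts/0        nosoup4u         Mon Feb 13 18:05 - down   (00:07)
reboot   system boot  2.4.20-8         Mon Feb 13 18:04          (00:08)
"""

# One `ls -l` line: mode, link count, owner, group, size, mtime, name.
LS_RE = re.compile(
    r"^(?P<mode>[-dlspcb][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<mtime>[A-Z][a-z]{2}\s+\d{1,2}\s+(?:\d{2}:\d{2}|\d{4}))\s+(?P<name>.+)$"
)
# "Mon Feb 13 18:04" in a `last` line; we keep only "Feb 13 18:04" so it
# compares directly with the ls mtime column.
LAST_BOOT_RE = re.compile(r"\b[A-Z][a-z]{2} ([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2})")


def _norm(ts):
    """Collapse ls/last padding ("Dec  3") so timestamps compare as strings."""
    return " ".join(ts.split())


def parse_ls_long(text):
    """Parse `ls -l` output; lines that do not match (e.g. 'total 324') are skipped."""
    entries = []
    for line in text.splitlines():
        m = LS_RE.match(line)
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["mtime"] = _norm(e["mtime"])
            entries.append(e)
    return entries


def empty_logs_by_mtime(entries):
    """Group zero-byte regular files by mtime: several logs on one timestamp
    were emptied together, which rotation does not do."""
    groups = defaultdict(list)
    for e in entries:
        if e["mode"][0] == "-" and e["size"] == 0:
            groups[e["mtime"]].append(e["name"])
    return dict(groups)


def world_writable_files(entries):
    """Regular files whose 'other' write bit (9th mode character) is set."""
    return [e["name"] for e in entries if e["mode"][0] == "-" and e["mode"][8] == "w"]


def boot_times(last_text):
    """Timestamps of every 'reboot   system boot' line, newest first as `last` prints them."""
    boots = []
    for line in last_text.splitlines():
        if line.startswith("reboot"):
            m = LAST_BOOT_RE.search(line)
            if m:
                boots.append(_norm(m.group(1)))
    return boots


def triage(var_log_text, tmp_text, last_text):
    truncated = empty_logs_by_mtime(parse_ls_long(var_log_text))
    return {
        "truncated_logs": truncated,
        "boots_at_truncation_time": [b for b in boot_times(last_text) if b in truncated],
        "world_writable_in_tmp": world_writable_files(parse_ls_long(tmp_text)),
    }


if __name__ == "__main__":
    for key, value in triage(VAR_LOG_LISTING, TMP_LISTING, LAST_OUTPUT).items():
        print(f"{key}: {value}")
```

On the thread's data this reports six logs (boot.log, cron, maillog, messages, secure, spooler) all empty at Feb 13 18:04, a system boot at exactly that minute, and /tmp/irc.tar.gz as the one world-writable regular file. That does not by itself prove a compromise (the empty logs are equally consistent with syslogd failing to start at that boot, which is what the reboot messages said), but it turns three screens of listings into the handful of facts worth comparing against package verification and the other hosts on the LAN.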



